WCG’s Response to the Evolution of Apache Log4j Major Software Vulnerability
At this time, you do not need to take any action related to this vulnerability. The note below outlines what WCG knows about the vulnerability and how we are continuing to monitor the ever-changing situation.
On Friday, December 10, 2021, WCG was initially made aware of a vulnerability in software that is used widely across the internet. The vulnerability, known as “Log4j”, has continued to change in scope and depth since December 10th. WCG has been actively monitoring the fluid situation and any potential impact on our business or on the way our clients interact with our products.
When we first learned about the vulnerability and the changes that were to follow, we immediately assessed exposure to the vulnerability for our clients and our internal infrastructure, as well as its impact across WCG. As expected, some operational tools continue to require new patches, but we have not found any direct exposure to our client-facing technology. Again, at this time, you do not need to take any action.
We continue to actively monitor the situation associated with the various Log4j vulnerabilities (referred to as CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, and CVE-2021-45105). As new developments arise, we will continue to assess the impact of any potential threats. In addition, we have open, constant lines of communication with our technology partners to ensure they are performing their due diligence for added layers of protection.
As the situation changes, we will continue to update this notice to keep you informed.
If you are a WCG or WCG IRB client and have any questions, please contact your relationship manager directly.
| Date | Update |
|---|---|
| Dec. 10, 2021 | Alerted and assessed for CVE-2021-44228. |
| Dec. 14, 2021 | Alerted and assessed CVE-2021-45046 and CVE-2021-4104. |
| Dec. 15, 2021 | Alerted and assessed CVE-2021-45105. |
| Dec. 22, 2021 | Updated public communication about WCG’s continuous monitoring of Log4j vulnerabilities. As expected, some operational tools continue to require new patches, but we have not found any direct exposure to our client-facing technology, infrastructure or services. Again, at this time, you do not need to take any action. |